Friday, December 17, 2004


Every now and again, I see posts ('specially in the public lists) about security tools. Many times, the poster says, "...if you want a tool that does X, go to this site...", without naming the tool that he (or she, just to be fair) has in mind. I still see posts that say, "Go to and get the PSTools...", when not a single one of the PSTools will meet the needs expressed by the original poster.

Many times, people just don't seem to understand that, like anything else, tools have limitations. Take fport.exe from FoundStone, for example. It's an excellent tool and one of the first of its kind, but it has to be run from an account that has admin privileges. Just something to keep in mind. My personal preference for such tools (i.e., process-to-port mapping) is openports.exe.

Depending on what I'm doing, I may prefer to use CLI (command line interface) tools over the ones with the nice GUIs (pronounced "gooey"). This is largely due to the fact that the CLI tools send their output to STDOUT, i.e., the screen. From there, it can be easily redirected to a file, or captured and sent out over a socket to a waiting server, as is the case with the Forensic Server Project. Don't get me wrong, GUI tools have their place and can be useful, but it still comes down to the right tool for the right job. Many times I see folks posting in the lists about how they find some unusual activity coming from a system, and while they can administer the machine, they can't get to it physically to run their GUI tools. That's where the CLI versions of the tools come into play. As long as you have the necessary network connection, you can use the tools (some may require that you also use psexec.exe) to get the information you need.

Another tool I like to use is tlist.exe (from the Microsoft Debugger Tools, not the Resource Kit). This is a great tool that allows you to retrieve process information from a system. You can, of course, get the process name and PID, as you can with pslist.exe and Task Manager, but you will also be able to retrieve the command line used to launch the process. This is especially useful in incident response, as the name of the process alone doesn't do you much good, but knowing where in the file system to find the executable image, and what arguments were used to launch the process, is extremely helpful.
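As an added example (not from the original post, and not output of tlist.exe or any other tool named here), this script shows why the image path and command line matter more than the process name: it parses a constructed process listing of the kind you get once CLI output is redirected to a file, and flags images that run from somewhere other than where a baseline says they should. The tab-separated layout, the sample rows and the baseline map are all assumptions.

```python
import ntpath

# Constructed sample, laid out as a process listing redirected to a file:
# PID <tab> executable image path <tab> full command line.
# Not real tlist.exe/pslist.exe output; the layout is an assumption.
SAMPLE_LISTING = """\
1032\tC:\\WINDOWS\\system32\\svchost.exe\tC:\\WINDOWS\\system32\\svchost.exe -k netsvcs
1540\tC:\\WINDOWS\\explorer.exe\tC:\\WINDOWS\\Explorer.EXE
2216\tC:\\Documents and Settings\\bob\\Local Settings\\Temp\\svchost.exe\tsvchost.exe -c update.dat
"""

# Hypothetical baseline of where well-known images are expected to live.
# A real baseline would be taken from a known-good system of the same build.
EXPECTED_DIR = {
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Directory fragments that ordinary users can write to; an image running
# from one of these is worth a closer look regardless of its name.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\")


def parse_listing(text):
    """Split the tab-separated listing into (pid, image_path, command_line) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, cmdline = line.split("\t", 2)
        rows.append((int(pid), image, cmdline))
    return rows


def review_processes(text):
    """Return {pid: {"cmdline": ..., "reasons": [...]}} for images that do not fit the baseline."""
    findings = {}
    for pid, image, cmdline in parse_listing(text):
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        reasons = []
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            reasons.append(f"{name} runs from {directory!r}, expected {expected!r}")
        if any(marker in directory + "\\" for marker in USER_WRITABLE_MARKERS):
            reasons.append("image lives under a user-writable directory")
        if reasons:
            findings[pid] = {"cmdline": cmdline, "reasons": reasons}
    return findings
```

Two processes share the name svchost.exe here; only the one whose path and arguments are visible gets singled out, which is the point the paragraph makes about tlist.exe.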

More info to come on tools...